Recently, while doing some fraud trending and analysis, I was reviewing several news feeds trying to get a feel for current fraud events globally. The reality is that you don’t have to look very hard to find a “fraud pulse” as there is no shortage of news about people or corporations committing fraud anywhere. Corporate scandals like Olympus pop up to remind us that senior executives continue to commit fraud despite the fact that we are now ten years past one of the greatest corporate frauds of all time: Enron.
As we approach the end of the year, the number of fraud cases being reported across all industries certainly isn’t slowing down despite efforts and government regulation to curtail it. Have you ever stopped to think about why that is? It’s an interesting question, and my take is that if there’s one thing that’s constant, it’s change.
Criminals committing fraud continually adapt their methods and schemes in accordance with regulation, anti-fraud methodologies, technology and controls being deployed by companies trying to safeguard their proprietary business information, consumer data, products and funds. There’s no shortage of stories in the news which demonstrate the diversity of fraud being committed globally.
Criminals continually attack the “weakest link,” which isn’t always a company with zero controls in place (although that’s highly likely) but may be a company with under-evaluated controls, technology, processes, procedures, policies or understaffed, undertrained or undereducated personnel in place to effectively handle the task.
The mistake many make when thinking about fraud and risk prevention, detection and investigation lies in their mindsets. Effective fraud prevention and risk mitigation simply aren’t a matter of “deploy the tools and forget about it.”
In fact, effective fraud prevention and risk mitigation must be a fluid and dynamic effort involving regular program review and analysis assessing both strengths and weaknesses (vulnerabilities). The result of this kind of review doesn’t necessarily require making wholesale changes, although it might if the business environment has changed significantly since program or control implementation. More likely, a company’s response might involve making minor control tweaks and adjustments in accordance with the risks being faced on a daily basis. This kind of ongoing adjustment is paramount in any effective risk mitigation strategy.
These types of program assessments should be conducted regularly. While every business’s definition of “regular” is going to vary, the type of business and risks referenced above usually dictate the frequency of the assessment, analysis and updates.
Quarterly assessments may be necessary for some businesses depending on the nature of the business and the markets they compete in, while other businesses may find that a semi-annual review is acceptable. At the very minimum, an annual operational anti-fraud and risk review should be scheduled and conducted but aside from scheduled operational assessments, threats and losses usually dictate the need and frequency.
I was reminded of this as we approach the end of the year and transition from 2011 to 2012. The New Year is a perfect opportunity for organizational review, analysis and anti-fraud metamorphosis to take place. Oftentimes, executives simply view this as a systems (technological) assessment, and while technology is certainly a core part of any good anti-fraud program, focusing exclusively on technological tools is a critical operational mistake as there are many other components that should be included in any anti-fraud “deep dive.”
Case in point, no matter how great the fraud prevention, detection or investigation technology is that your business deploys, it takes people to make systems work and according to Geoffrey Fowler in an article (What’s a Company’s Biggest Security Risk? You.) in The Wall Street Journal: “We are the weakest link.”
There are several schools of thought on this issue but as a fraud and investigations professional, having spent my entire career in the private sector, my opinion is that silos make for poor fraud risk management. In a world where corporate business units often build silos around their data, applications and personnel, this makes effective, corporate fraud prevention that much more difficult, if not impossible.
John Kotter, Professor of Leadership, Emeritus at the Harvard Business School, and I share the same opinion on the negative effect of corporate silos. In an article titled Breaking Down Silos, Kotter said, “Silos can arise in any firm, large or small, and are detrimental to organizational success.”
Senior management interested in a robust anti-fraud or risk mitigation platform must infuse an air of open communication, cooperation and holism into the anti-fraud and risk equation ensuring that all areas are working in conjunction with each other.
While it’s possible for individual business units to still have anti-fraud/risk mitigation success on their own, a siloed work environment usually ensures a closed atmosphere where the “left hand truly doesn’t know what the right hand is doing.” In this type of scenario smaller individual business unit successes may ultimately lead to larger company defeats and losses as there isn’t a more comprehensive, holistic anti-fraud plan in place which incorporates all business units working together.
The reality, from my experience, is that managers of silos often resist the requirement to be more cooperative and transparent, most often expressed in a territorial “I own it” manner. However, that type of individualistic attitude cannot deter senior management.
The most successful businesses I’ve come across recognize that successful fraud and risk management programs must utilize a holistic approach centered around getting key business unit leaders to the same table, providing them with an “actionable” agenda and ensuring that they are all working toward a common corporate goal: fraud/risk mitigation. This type of holistic effort increases ROI and translates directly to a corporation’s bottom line.
While there are tangible financial results from operating holistic fraud and risk mitigation programs, pulling this off requires senior management buy-in and oversight (starting in the C-suite) to ensure that all relevant business units (e.g., audit, compliance, fraud, finance, legal, infosec, security) contribute to the company’s fraud/risk mitigation effort in a well thought out, planned and orchestrated manner.
Management oversight and responsibility for these kinds of programs are addressed in the executive summary of the COSO Enterprise Risk Management (ERM) Integrated Framework:
“Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers support the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks…”
While no fraud/risk mitigation plans are foolproof, there are many steps you can take to ensure your company has a healthy anti-fraud environment in 2012. Here are five things to think about:
1. Be Proactive – Don’t wait until your company is front-page news in The Wall Street Journal before taking action to patch the holes and prevent further fraud. Get out in front of your fraud/risk mitigation effort before it’s too late.
2. Evaluate Controls Regularly – Fraud and risk controls should be evaluated regularly in accordance with changes in the market, regulatory, legal, compliance, audit or business environment.
3. Think Like a Criminal – Flip it around. How would you attack your company if you were on the other side of the fence? Identify those weaknesses, then plug those holes.
4. Outside Evaluation – The old adage “you can’t see the forest through the trees” definitely applies here. After you’ve stared at your fraud and risk methodologies long enough, you won’t see the obvious holes. Bring in a fraud expert to independently evaluate your fraud operation and help identify key business areas that can be strengthened and improved. A fresh set of eyes may quickly see what you cannot.
5. Think Holistically – While there is no “I” in team, there are two in holistic. Get all your business units on the same page, make sure they’re communicating openly and working together on the same risk and anti-fraud agenda.
All this leads me to one important question: “How is your business positioned for the fraud challenges that 2012 will certainly bring?”
The new year is right around the corner and if you haven’t already, there’s no better time than now to conduct your annual assessment … if you’re thorough, you might be surprised at the fraud vulnerabilities you discover and can fix before they become front-page news! If you aren’t, the criminals will gladly find, and exploit, your weaknesses for you.
About the Author
Daniel W. Draz is the principal of Fraud Solutions, an international fraud consulting firm. He has 26 years of successful fraud investigation, fraud training, fraud prevention, fraud management, risk (management and investigation), audit, regulatory and compliance experience exclusively in the financial services sector. In his previous role, he was the corporate investigations manager at TransUnion LLC, where he oversaw the Corporate Investigations Department, also serving as the global anti-fraud liaison to TransUnion’s operations in 25 foreign countries on six continents. Additionally, his responsibilities included oversight for all internal employee investigations involving violations of ethics, code of business conduct, hotline and acceptable technology usage policies and procedures. Daniel’s staff also investigated all customer interfacing matters and violations, violations of customer contract agreements, violations of federal rules and regulations governing permissible purpose, access of consumer credit information and cases with federal law enforcement agencies involving rings, organized criminal activity and national security matters. Prior to joining TransUnion, Daniel was a fraud investigator in the Special Investigations Unit at Standard Insurance Company in Portland, Oregon. In that capacity, he conducted sophisticated insurance (life, health and disability) investigations (civil and criminal) into questionable/fraudulent claims; referred insurance fraud investigations to local, state and federal law enforcement agencies nationwide for prosecution consideration; coordinated investigations with law enforcement agencies and prosecutors; and advised counsel, senior management and business units on fraud issues/problems/solutions.
Additionally, he was also responsible for development and delivery of anti-fraud training programs and training on red flags/fraud avoidance/investigation procedures/methods to minimize exposure to financial loss. Previously, Daniel owned and operated an investigative and fraud consulting agency in California, providing specialized fraud consulting, investigative and litigation consulting services to businesses and corporations, insurance companies, self-insureds, financial services firms, large law firms, government agencies, telecom carriers and select individual clients nationally. Daniel has been a Certified Fraud Examiner (CFE) since 1996 and is a member of the American Society for Industrial Security’s (ASIS) Economic Crime Council. He has an M.S. in Economic Crime Management from Utica College (2005) and a B.S. in Criminal Justice from Arizona State University (1985). He currently holds adjunct professorships at four colleges, where he teaches a variety of graduate and undergraduate classes involving various forms of fraud, economic crime, white collar crime and criminal justice. He also has extensive experience teaching both in the classroom and online, and with developing unique academic curriculum. Daniel is a former member of the International Association of Special Investigation Units (IASIU) and a frequent speaker at national industry conferences. He is formerly associate editor, fraud investigations for PI (Private Investigator) Magazine, where he wrote on a variety of fraud-related topics. Daniel also created the first insurance fraud column for FRAUD Magazine, the official publication of the Association of Certified Fraud Examiners and is an occasional contributor to SIU Today, the official publication of the International Association of Special Investigations Units. He has been published over 40 times in industry and trade publications over the years and frequently mentors other investigators and fraud professionals around the country. 
To contact Daniel, email him at firstname.lastname@example.org. Daniel writes a regular column, Fraud Flashpoints, for Corporate Compliance Insights.